Skip to content
All posts

PR: Codenotary to Support SBOM Standards: CycloneDX 1.6 and SPDX 3.0

Codenotary is dedicated to improving software supply chain security through state-of-the-art technology solutions. We are excited to announce that we will support the latest versions of two key SBOM standards, CycloneDX 1.6 and SPDX 3.0, within the next few weeks. Our clients will soon be able to take advantage of the enhanced features these updates offer.

CycloneDX 1.6: Key Enhancements

The latest iteration of CycloneDX introduces several significant enhancements that expand its capabilities in managing software vulnerabilities and dependencies:

  • Cryptographic Bill of Materials (CBOM): A new structured framework to inventory cryptographic assets, preparing for the shift to quantum-safe cryptography. This enhancement is vital for identifying weak cryptographic algorithms and promoting cryptographic agility​ (OWASP CycloneDX SBOM)​.

  • CycloneDX Attestations (CDXA): These attestations allow organizations to automate the production of compliance evidence. By making "compliance as code" possible, CDXA simplifies the management of compliance documentation and facilitates security discussions​ (OWASP CycloneDX SBOM)​.

  • Enhanced AI/ML Transparency: CycloneDX 1.6 integrates environmental considerations, such as energy usage and CO2 emissions, into AI/ML model cards, fostering sustainable technological practices​ (OWASP CycloneDX SBOM)​.

  • General Capabilities: The update supports a broad array of component types, including hardware devices and machine learning models, allowing for detailed representation of software, hardware, and service dependencies​ (OWASP CycloneDX SBOM)​​ (OWASP CycloneDX SBOM)​.

SPDX 3.0: Major Updates


SPDX 3.0, developed by the Linux Foundation, has been revamped with new features that streamline the management of software bills of materials across different systems:

  • Profiles for Specific Use Cases: SPDX 3.0 has developed six new profiles designed to cater to the most common SBOM generation and consumption scenarios, focusing on areas like security, licensing, AI, datasets, and software packaging processes. These profiles are tailored to meet diverse industry requirements, ensuring broad utility across various sectors​ (Linux Trust)​.

  • Improved Traceability for AI and Data Provenance: The new version extends the SPDX standard to better handle AI and data provenance, providing clearer traceability and management of these complex elements in software packages​ (Linux Trust)​.

  • Enhanced Accessibility and Adoption: By refining the standard to make it easier for software engineers, security professionals, and compliance officers to adopt and use, SPDX 3.0 aims to facilitate broader and more effective compliance across the software industry​ (Linux Trust)​.

  • Global Software Supply Chain Security: With a focus on international standards, SPDX 3.0 is designed to support the cybersecurity goals of regulations in the United States and Europe, enhancing the security of software dependencies and supply chains globally​ (Linux Trust)​.

Why It Matters

The integration of these updated standards will allow our users to use the latest advancements in SBOM technology, enhancing their ability to pinpoint, analyze, and mitigate risks in their software infrastructures. Effective management of software components and vulnerabilities is vital for maintaining the security and integrity of systems.

Looking Forward

With the integration of CycloneDX 1.6 and SPDX 3.0, we remain focused on providing innovative solutions that meet the dynamic needs of our clients. Implementing the latest industry standards ensures that our clients are equipped with the best tools to secure their software supply chains.

Stay tuned for further updates as we roll out these new capabilities.